BIS: GSIBs Risk IT Systems Weak

Unnamed GSIB Data Scientist /Risk Manager Demonstrates New Techology

In January 2013, the Basel Committee published the Principles for effective risk data aggregation and risk reporting (the “Principles”) to remedy deficiencies in risk management disclosed by the 2008 “Great Financial Crisis” (first euphemism of the post).  G-SIBS (Globally Systematically Important Banks) identified in 2011 and 2012 were required to fully implement the Principles by January 2016.

The BIS explained its action as follows:

“One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines and between legal entities. Some banks were unable to manage their risks properly because of weak risk data aggregation capabilities and risk reporting practices. This had severe consequences to the banks themselves and to the stability of the financial system as a whole.”

In March this year, the BIS issued a progress report on implementation of the Principles.  Italics courtesy of AA.

“The latest assessments by supervisors show that banks’ level of compliance is unsatisfactory and the overall implementation progress remains a source of concern to supervisors. Based on supervisors’ assessments, only one bank fully complied with the Principles, even though the implementation deadline for global systemically important banks (G-SIBs) identified in 2011 and 2012 had lapsed in January 2016. In view of the unsatisfactory assessment results, banks are urged to step up efforts to comply with the Principles. Supervisors are expected to monitor progress and call on banks to address observed weaknesses.” 

There were some 28 G-SIBS as of November 2012. 

One out of 28 is roughly 3.6% compliance.

Not a very impressive performance from these megabanks who tout their capacity to provide state-of-the-art banking services based not only on their self-proclaimed profound intelligence but also their ability to perform complex mathematical analyses and calculations. These are also the same banks that have convinced their regulators that their internal risk models are sufficiently robust so that they should be used to determine their “true” exposure to various risks and, thus, their required capital under the Basel Framework.

The BIS progress report indicates that these self-assessments may be “overly optimistic” (second euphemism of the post). 

What’s even more disturbing is the BIS assessment of the reasons for the failure to reach compliance. You can read that in detail in Appendix 2.  Here’s the BIS’s take on “technical shortcomings”.

“Difficulties in execution and management of complex and large-scale IT and data infrastructure projects, such as resources and funding issues, deficiencies in project management, and coordination with other ongoing strategic programmes.

Overreliance on manual processes and interventions to produce risk reports, although some manual processes are unavoidable.

Incomplete integration and implementation of bank -wide data architecture and frameworks (eg data taxonomies, data dictionaries, risk data policies).

Weaknesses in data quality controls (eg reconciliation, validation checks, data quality standards).”

On a positive note, the BIS may have just supported US corporation and banks’ contention that they are incapable of determining the ratio of their CEO’s pay to the average for all other employees.

If we accept that as a working hypothesis, would you buy a product or place a deposit with a bank unable to measure its risk exposure or perform simple math (Dodd Frank)?

AMF Study: Bank De-Risking in the Arab Region -- Big Deal or Not?

AA: As Usual on Top of the Story.  It Looks a Lot Scarier Up Here. 

In an earlier post I outlined why the Hong Kong Monetary Authority's appeals to its banks to "manage correspondent risks" rather than "de-risk" were likely to fall on deaf ears. Today I’d like to continue exploration of that topic by looking at September 2016 Arab Monetary Fund/IMF/IBRD study “Withdrawal of Correspondent Banking Relationships (CBRs) in the Arab Region”. Context – Survey Coverage The report is based on a survey of 216 banks in Algeria, Bahrain, Egypt, Iraq, Jordan, Kuwait, Lebanon, Mauritania, Morocco, Oman, Palestine, Qatar, KSA, Sudan, Tunisia, UAE, and Yemen.  One country was excluded from “some analysis” as it is “perceived as a high risk area”. AA is guessing Yemen, though it is not the only “high risk” name in the list.       Details Apparent Modest Impact 55% of the banks surveyed did not experience any problems with closure of CBRS.  1% did not respond. 5% reported an increase in CBRs.  Only 39% (84 out of 216 banks) had CBRs terminated.  Of this latter group roughly 63% (53 banks) found replacement CBRs, and another 17% (14 banks) developed “workarounds”.  Perhaps an indication that all correspondents are not de-risking? Only 20% (17 banks or 8% of the 216 banks surveyed) did not find a solution.    On this basis, it doesn’t seem that de-risking in MENA is a major problem at least at the macro level. Two caveats.    First, “limitations” in the survey (see below) preclude making a definitive assessment on impact as well as on the motive(s) for de-risking.   Second, the number of accounts closed increased over the survey period 2012-2015 (Figure 5), indicating that affected banks are increasingly being disconnected from international finance.          Primary De-Risking Banks As expected US banks were the main de-riskers followed by the UK and Germany. Interestingly of the ten countries’ banks named as de-riskers, banks in Saudi were in 4th place and the UAE in 8th place.  AED and SAR accounts were closed. It’s not clear from the survey if the UAE and Saudi banks are solely responsible for the closures.  It doesn't seem unreasonable to assume that they were at least partially responsible. If so, an intriguing but unanswered question.  Were their actions motivated by these banks’ own concerns or local regulations? Or are they defensive measures to prevent their foreign correspondents from “de-risking” them? Survey “Limitations” As outlined below, these limitations lessen the survey’s utility. Presumably some of this reflects a conscious decision to avoid creating a knock-on effect and potentially worsening the situation by providing too much public information. Now to the limitations. The size and location of the affected banks is not disclosed.  If major banks are being de-risked, the impact is likely to be greater than if smaller banks are.  If the de-risking is focused on one or two countries, then what appears to be manageable problem is not –at least for the affected countries. It’s highly likely that correspondents did not provide a concrete reason for terminating a CBR. But rather used such words as “strategic review of our business”, “change in focus”. If you ever have had to let people go or were on the receiving end yourself, you know that these events are couched in euphemisms like “downsizing”. One doesn’t fire an employee.  Rather his or her position is “eliminated”.  Nothing personal there at all.  We’d love to have you but we don’t have a “position” for you.  The same with closure of accounts.  If the reason for the firing or closure of an account is not directly “personal” or concrete, it’s hard for the affected party to mount an objection.  How do you argue your case?  Do you really expect the institution to change its board-approved strategy so you get to retain your job or account?        To get around this likely scenario, survey respondents were asked to ascribe motives to the termination of CBRs.  The survey provides 16 possible “drivers” of the decision to terminate CBRs.  Respondents were free to select more than one and were asked to rank them from 1 to 16--which AA takes as an invitation to rank all of them.  Thankfully not every respondent did.  There were some 234 votes from the 84 banks.  Only 17% of the maximum possible number of responses.    There are two problems though.    First, respondents are not only being asked to read their correspondents’ minds, but also to do so with a high degree of precision. Second, many of the drivers are similar.  One might well need an electron microscope to parse these in any practical sense.  This compounds the dubious first assumption of mind reading skills. Some examples of similar/duplicative motives.  Note the numbering below follows the rankings on pages 11-12 in the report.    Driver 1 (overall risk appetite) seems to include Driver 4 (change in sovereign risk rating).  As to 4, if indeed it is an accurate assessment, then shouldn’t all banks in Country X be affected more or less at least by the same correspondent? Thus, one would find that all or most banks in Country X had their CBRs terminated.   If that’s not the case (and the AMF has the data), then this Driver should be excluded.     There are 10 Drivers related to regulatory reasons. Drivers 2, 5, 6, 8, 9, 11, 12, 14, 15, and 16 overlap to a large extent on AML/CFT, though those aren’t the only regulatory issues mentioned. It boggles AA’s mind that the survey constructor thought that participants would be able to provide such granular assessments of what their correspondents’ motives were.       Third, it also seems (note that caveat) that in ranking drivers no adjustment was made for this overlap.   The summary puts AML/CFT in fifth place.  This seems based Driver 5 being in fifth place by number of “votes” while ignoring the votes for all the other AML/CFT related drivers.     I think it would have been better to have a few very broad primary motives, e.g., credit, profitability, regulatory, refusal/failure to provide requested information.  Participants could have then been asked to ascribe a percentage to each.  This more limited menu probably would be not only easier but more appropriate given the inherent limitations of mind reading.     Follow-up questions could have been used to attempt to parse sub-drivers with economy in options.  For example, was refusal/failure to provide requested information due to regulatory impediments (bank secrecy) or internal bank decision?  Were regulatory concerns focused on AML/CFT, sanctions, or other (e.g. FACTA)?  Interestingly Driver 16 and part of Driver 8 consist of failures by the respondent bank to provide sufficient AML information, in which case one might argue that the correspondent was obliged by regulation to terminate the CBR or decided failure indicated not only bad faith but probable bad behavior.    The same with Driver 15 imposition of sanctions.  DPAs would be another example. This is an important point.  If the correspondent is "forced" to withdraw services, this is not "de-risking" but compliance. Focusing a question on this issue would be most helpful.   The survey noted that banks that found replacement CBRs or developed workarounds faced increased costs, but no data is provided on the relative increase in costs. All this being said there is useful information in the study.  Hopefully, it will serve as a basis for further examination of this issue with perhaps answers to some of the above open items as well as a fine tuning of questions. There's an Occasion Every Day! One quibble.  There’s always at least one and usually more with AA. 1.3 Hence, the “de-risking” phenomenon involves financial institutions’ practices of terminating or restricting business relationships with clients or categories of clients to avoid rather than manage risks. It is a misconception to characterize “de-risking” exclusively as an anti-money laundering/ combatting terrorism financing issue. In fact, “de-risking” can be the result of various drivers, such as concerns about profitability, prudential requirements, anxiety after the global financial crisis, and reputational risk.    The AMF is right to indicate that the motives for “de-risking” don’t relate solely to AML/CFT.  Sanctions and other regulations are important as well. I’d argue that termination of unprofitable relationships is not “de-risking” nor is restructuring/eliminating lines of business to meet prudential regulations (increases in capital charges).  That’s simply common business sense.  If one can’t make a profit selling a good or providing a service, one stops doing so if there is no way to increase pricing or lower costs sufficiently.  No doubt many of the small CBRs being tossed do not meet internal ROA targets and would require massive increases in pricing to do so.  At some point too banks like any business need to focus on key LOBs and customers.  “80% of the revenue comes from …”  If you've been around long enough, you know the last bit to that sentence and the business strategy it supports.  "Dabbling" or "hobbies" (my mentor’s descriptive terms) divert resources and attention from more profitable customers and LOBs. Also it’s not clear to me how anxiety is playing a role. Clearly any regulatory/prudential anxiety is already covered by those topics.  If there are concerns about credit quality, then measures theoretically could be put in place to cover these.  Pay against receipt of funds only (no overdrafts), require cash collateral for residual risks (check deposits bouncing, for example), and increase pricing for the additional special handling required.  But, if a relationship is marginally profitable, what's the point of all of this when the time and effort might be spent on other customers or LOBs where real money could be made?  And when 100% of the risks are unlikely to be covered despite all the elaborate risk management?  But let's assume a correspondent exerts the effort. At this point, “risk management” might result in making an offer that can’t be accepted, equivalent to withdrawal of CBR. No doubt sparking the argument that “risk management” of this sort was really disguised “de-risking”.

Bank De-Risking Likely to Trump Calls for Financial Inclusion

For Some Activities Risk Avoidance Makes More Sense Than Risk Management

On September 8^th, the Hong Kong Monetary Authority (HKMA) issued a circular to the CEOs of all Authorized (financial) Institutions (AIs) in the HKSAR (Hong Kong Special Administrative Region) entitled “De-risking and Financial Inclusion”.

The circular sets forth the HKMA’s expectations (read “instructions”) that AIs adopt a risk based approach (RBA) to implementing anti-money laundering AML) and countering the financing of terrorism (CFT) regulations and cease the practice of de-risking, that is refusing to open or maintain accounts for certain customers.

As outlined below, the HKMA is rowing against some very powerful tides.  The circular is unlikely to have the stated desired effect.

Some quotes from the circular to set the stage for this post.  I’ve added boldface to highlight certain points. 

Noting the progressive tightening of AML regulations over recent years the HKMA states “While it is important to ensure that AML/CFT controls are sufficiently robust and comply with all the relevant regulatory requirements, the HKMA expects AIs to adopt a risk-based approach (RBA) and refrain from adopting practices that would result in financial exclusion, particularly in respect of the need for bona fide businesses to have access to basic banking services.”  

In a similar vein, the HKMA defines “de-risking” as “The phenomenon of banks declining or discontinuing business relationships with customers or categories of customers to avoid, rather than manage, the risk involved. “

On the subject of an RBA, the HKMA makes the following points: 

"RBA does not require or expect a “zero failure” outcome. While AIs should take all reasonable measures to identify ML/TF risks at the account opening stage and, for existing customers, on an ongoing basis, it is unrealistic to expect that no ML/TF activities would ever occur through the banking system. AIs are not required to implement overly stringent CDD processes with a view to eliminating, ex-ante, all risks. Otherwise, such an approach would result in a large number of bona fide businesses and individuals not being able to open or maintain accounts. CDD is only one part of an effective AML/CFT regime. AIs are also required to implement a system that can monitor and detect suspicious transactions in order to report them to the relevant authorities and take the necessary mitigating measures, such as enhanced CDD."

News reports suggest that the HKMA's action was occasioned by several banks “tossing” existing customers.   Bloomberg refers to the alleged abrupt closure by HSBC of accounts of a long standing client that is an offshore fund. 

That’s borne out in the circular itself which also notes the refusal of some unnamed FIs in the HKSAR refused to accept new clients or set “onerous” requirements.  See the annex to the circular.

The HKMA’s circular follows one issued in late August by five US regulators of financial institutions in the country.  Yes, you read that right “five”.   Apparently one regulator is insufficient for the USA's financial sector.  It's that big!  That circular also contained an appeal for banks to adopt a RBA, but did not include the HKMA’s statement that it didn’t expect RBA AML/CFT to prevent all illegal transactions.  Instead the five US regulators offered the comforting thought that “the Treasury and the FBAs do not utilize a zero tolerance philosophy that mandates the strict imposition of formal enforcement action regardless of the facts and circumstances of the situation”.  

I trust like AA you find those words comforting in a particularly baffling way.  Are these regulators saying that existing regulations allow them to take formal enforcement action regardless of facts and circumstances but that they will kindly forbear from exercising these powers?  Instead might they apply strict non formal enforcement actions? On that score, what is a “strict” imposition and how does it differ from a “strict” enforcement action?  Or are they saying that existing US laws and regulations are so written that they could impose draconian penalties for a “slip or two” in compliance?  Finally, if the posture of the regulators is based on a “philosophy” and not the law, could that “philosophy” change with the next administration? If that’s the case, should banks be advised to prepare for the worst?       

The widespread use of the US dollar in both commercial and financial transactions and the propensity of the US to use that position to levy fines and impose extraterritorial requirements make US regulations and the “philosophy” of the US regulator of paramount concern to internationally active banks. 

The HKMA may have “expectations” but Hong Kong and other foreign banks are likely to be more sensitive to what the US “expects” as evidenced by its past behavior.   Thus, the HKMA’s appeal is almost certain to collide with banks’ self-interest and certain “objective conditions”.

First, banks are profit oriented not public service institutions despite some manifestly absurd industry positioning / brand development advertising campaigns that are currently running. 

In other words, profit is job #1.  Financial “inclusion” like charity work is well down the list of priorities.  And is a miniscule part of activities.  Thus, despite its ad campaign running on the Bloomberg TV, Bank of America Merrill Lynch doesn’t devote a major portion of its efforts to bring clean water to folks in Africa.

Profit on an account is a function of revenues less costs.

Providing bank accounts and related services is a low margin high volume business. Contrast that with investment banking transactions where the volumes are significantly lower but the margins are immense.  

Considering only operating costs, many SME accounts at best offer marginal profitability. We’re talking about maybe tens of thousands of dollars profit per account for many accounts. 

When the costs of customer due diligence, monitoring, preparing and filing of suspicious transaction reports are included, profit is even less.  Customer due diligence (CDD) at the inception of a relationship is particularly labor intensive.  Much of the subsequent monitoring can be done via computer programs, but at the end of the day someone has to review the reports generated, decide whether to investigate further, and ultimately whether to approach the customer for more information and/or file a suspicious transaction report STR).  

On that score, banks file a good portion of their STRs for defensive (CYA) reasons.  It demonstrates they have a working compliance system.  If something untoward about a customer turns up in the future, the bank can say to the regulators “But I reported to you.  By the way you never got back to me.”  Thus, monitoring “risky” customers taken on to promote financial inclusion may trigger the need for a CYA STR even if the bank thinks the customer is "clean".  One can't be too careful because regulatory hindsight is often more than 20/20.

Fines take a potential bite out of profit.  But by increasing expenses they can also affect the capital a bank is required to maintain for operational risk under the Basel framework.  Lower Basel capital adequacy ratios can affect credit and stock ratings.  Increasing capital can lead to declines in ROE if the profits do not cover the cost of capital.  If capital cannot be increased, then the bank may have to reduce certain other activities (e.g. credit or market risk related) thus reducing income/profit.  

Second, it’s important to remember that banks are free to select or reject customers according to their own criteria.  Even in countries that have laws to prevent discrimination, banks may reject customers as long as the as criteria used are business principles-based, e.g., risk not race and are consistently applied.  Not every applicant for a new loan or new account will get one.  Not every customer with an existing loan will be granted a renewal or extension.  Similarly, not every customer with an account is guaranteed the right to retain it. So the appeal is a request not a command.

Third, there are a variety of objective conditions and not simply bloody-mindedness that are pushing banks to “de-risk”.

Chief among these are regulatory and legal risks, but there are others.

Regulatory Risks.

Billion dollar fines concentrate the minds or bankers quite sharply.  Settlements with regulators include more than fines.  Often settlements are (legally) structured as deferred prosecution agreements or DPAs.  As the name suggests, the DPA holds a sword over the head of the financial institution and compel compliance on an extraterritorial basis.

But don’t take AA’s word for it. 

Here are two 2016 quotes attributed to Assistant Attorney General Leslie Caldwell. “[w]e can require that the banks cooperate with our ongoing investigations, particularly in our investigations of individuals. We can require that such compliance programs and cooperation be implemented worldwide, rather than just in the United States. We can require periodic reporting to a court that oversees the agreements for its terms.”

Under the right circumstances, the government “will not hesitate to tear up a DPA or NPA and file criminal charges, where such action is appropriate and proportional to the breach.”

Here are some illustrative examples of DPAs.  Standard Chartered 2014 with DFS New York State.  The consent order triggered significant de-risking by SCB in the UAE as you may recall.  Here’s  HSBC 2012. 

So if you were a financial institution considering opening or maintaining an account relationship, would one of your key risk mitigation concerns be avoiding the risk that a regulator could suddenly be dictating how you run your business worldwide?  See the requirements in the HSBC DPA Paragraph #5.  Note not only the number of requirements but also the short leash in later points Paras 8 and 14-16. 

But as they say on late night TV.  “Wait there’s more”.

­Civil Lawsuits

Lawsuits such as that against the Arab Bank or the one in progress against HSBC, Barclays, Standard Chartered, the Royal Bank of Scotland and Credit Suisse are no doubt worrisome.  The latter suit is predicated on these banks’ admission of transferring money for Iran which the plaintiffs assert helped finance terrorist attacks against US military personnel in Iraq. There is to my knowledge no assertion that these banks actually transferred money for those attacks.  More here.  

Banks might be forgiven--particularly in light of the Arab Bank case—for questioning whether fair trials or impartial juries are available in certain jurisdictions.

Both the regulatory and legal actions highlight what is perhaps the key factor here.  Banks are subject not only to their own regulators and laws but to those of other countries.  The primary role of the US dollar in international financial transactions exposes not only major international banks but also smaller banks to US enforcement or legal actions.

Staff Risks

International banks operate in many countries.  Staff attitudes toward government regulations vary greatly.  In many countries the population treats their own government's laws and regulations as suggestions rather than binding constraints.  In some countries as a direct challenge to find a creative workaround.  An even more casual attitude often applies to laws of foreign countries.   Bank managements have to deal with the staff they have not the staff they wish they had.  In which case exposure can be neatly mitigated by not doing certain types of business or dealing with certain customers.  Eliminate discretion and one eliminates potential problems.

Recidivism Risk

If a bank is unfortunate enough to have encountered enforcement action, a further “slip” could trigger a severe response from at least one particular country, e.g., “tearing up DPAs” “filing criminal charges” as AAG Caldwell is quoted above.  Or additional fines or additional business conditions imposed.  Or even the threat of such action could cloud an institution’s stock price, customer confidence, etc.  Here’s an example.

Conclusion

When the risk reward ratio is highly skewed, the most effective risk management is risk avoidance.  

I suppose I could construct an RBA for running with scissors. But I will forgo running with scissors rather than “managing the risk” of doing so.  Simply because the potential return is dwarfed by the risk.

Banks are likely to do the same with respect to financial inclusion.   The lesson of Nogales Arizona and other similar stories of US banks closing branches on the US-side of the border with Mexico and “tossing” customers may be illustrative on this point.  Banks are likely to be much less solicitous of foreign than domestic customers. And the solicitude for domestic customers seems minimal in these cases. 

As outlined in the above press report, the US banks apparently claimed that their domestic de-risking was related to revised regulations requiring additional regulatory reporting and closure of “risky” accounts.  If you close your branch, you neatly “solve” both problems.